xen-devel
Re: [Xen-devel] promiscuous mode?
> The default config uses bridging in domain 0 to connect together all
> of the guest NICs; in this case, guests will be able to see anything
> that is on the local network.
Although it's called a 'bridge', it's actually an L2 'switch': a
domain will typically only see traffic that's sent to its MAC or
the broadcast/multicast MAC (once it's learnt where all the MAC
addresses live).
As with a physical network, you'd still be vulnerable to ARP
spoofing or forged src addr attacks that would enable an attacker
to see packets it shouldn't.
> If you want to enforce some 'privacy', you can configure things a
> little differently;
>
> a. use a 'routed' model in which domain0 acts as the gateway; in
> this case, no guest can see anything save point-to-point packets
> between itself and its opposite number in domain0. However it
> does mean a bit more hassle setting up interfaces in domain0.
>
> b. use ebtables -- this is an ethernet-level "firewall", which
> should allow you to configure whatever you want. Should be
> more flexible (i.e. can allow some guests to see all bcast
> packets, others to see some, others to see none) and more
> efficient. However I've never used it :-)
We build the bridge-nf patch into our linux 2.4 kernel by
default, so it's possible to use Linux's normal iptables commands
to filter traffic to domains at the IP level even if you're using
bridging rather than routing (bridge-nf is standard in
2.6). However, you'll need a relatively recent version of the
iptables user-space package that supports the 'physdev' module to
enable you to attach rules to specific VIFs.
The vif-bridge script contains an example invocation that stops
domains from spoofing their src IP address (though you have to be
careful about DHCP requests and such like).
ebtables is useful if you want to do purely L2-level (Ethernet)
filtering.
Ian
[perhaps someone could stick this in a FAQ...]
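As an added illustration of the physdev-based anti-spoofing rules described above (this is not the vif-bridge script itself, and the function name, VIF name and address are made-up examples): a small helper that emits the iptables commands pinning one VIF to its assigned IP, with the DHCP exception the reply warns about.

```shell
#!/bin/sh
# Hypothetical helper (not taken from vif-bridge): print the iptables rules
# that allow a bridged guest VIF to send only from its assigned IP address.
# Requires bridge-nf in the kernel and an iptables with the 'physdev' match.
# Usage: antispoof_rules <vif> <ip>     e.g. antispoof_rules vif1.0 10.0.0.5
antispoof_rules() {
  vif="$1"
  ip="$2"
  # A guest without a lease sends DHCP DISCOVER/REQUEST from 0.0.0.0, so a
  # plain "-s $ip" rule would break it; let client->server DHCP through.
  echo "iptables -A FORWARD -m physdev --physdev-in $vif -s 0.0.0.0 -p udp --sport 68 --dport 67 -j ACCEPT"
  # Everything else from this VIF must carry the address assigned to it.
  echo "iptables -A FORWARD -m physdev --physdev-in $vif -s $ip -j ACCEPT"
  # Anything with a forged source address is dropped.
  echo "iptables -A FORWARD -m physdev --physdev-in $vif -j DROP"
  # Note: iptables only sees IP; ARP spoofing (mentioned above) is not
  # covered by these rules and needs ebtables, which works at L2.
}

# Review the output first, then apply as root with:
#   antispoof_rules vif1.0 10.0.0.5 | sh
antispoof_rules "${1:-vif1.0}" "${2:-10.0.0.5}"
```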